Refactor: modify certificate codes (#514)

openyurtio · Oct 11, 2021 · eb3eab7 · eb3eab7
1 parent 0386d05
commit eb3eab7
Show file tree

Hide file tree

Showing 7 changed files with 285 additions and 289 deletions.
diff --git a/cmd/yurt-controller-manager/app/controllermanager.go b/cmd/yurt-controller-manager/app/controllermanager.go
@@ -287,7 +287,7 @@ var ControllersDisabledByDefault = sets.NewString()
 func NewControllerInitializers() map[string]InitFunc {
 	controllers := map[string]InitFunc{}
 	controllers["nodelifecycle"] = startNodeLifecycleController
-	controllers["yurthubcsrapprover"] = startYurtHubCSRApproverController
+	controllers["yurtcsrapprover"] = startYurtCSRApproverController
 
 	return controllers
 }

diff --git a/cmd/yurt-controller-manager/app/core.go b/cmd/yurt-controller-manager/app/core.go
@@ -55,10 +55,10 @@ func startNodeLifecycleController(ctx ControllerContext) (http.Handler, bool, er
 	return nil, true, nil
 }
 
-func startYurtHubCSRApproverController(ctx ControllerContext) (http.Handler, bool, error) {
+func startYurtCSRApproverController(ctx ControllerContext) (http.Handler, bool, error) {
 	clientSet := ctx.ClientBuilder.ClientOrDie("csr-controller")
 	go certificates.NewCSRApprover(clientSet, ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests()).
-		Run(certificates.YurtHubCSRApproverThreadiness, ctx.Stop)
+		Run(certificates.YurtCSRApproverThreadiness, ctx.Stop)
 
 	return nil, true, nil
 }
diff --git a/cmd/yurt-tunnel-server/app/start.go b/cmd/yurt-tunnel-server/app/start.go
@@ -24,7 +24,6 @@ import (
 	"github.com/openyurtio/openyurt/cmd/yurt-tunnel-server/app/config"
 	"github.com/openyurtio/openyurt/cmd/yurt-tunnel-server/app/options"
 	"github.com/openyurtio/openyurt/pkg/projectinfo"
-	"github.com/openyurtio/openyurt/pkg/yurttunnel/constants"
 	"github.com/openyurtio/openyurt/pkg/yurttunnel/dns"
 	"github.com/openyurtio/openyurt/pkg/yurttunnel/handlerwrapper/initializer"
 	"github.com/openyurtio/openyurt/pkg/yurttunnel/handlerwrapper/wraphandler"
@@ -33,8 +32,8 @@ import (
 	"github.com/openyurtio/openyurt/pkg/yurttunnel/pki/certmanager"
 	"github.com/openyurtio/openyurt/pkg/yurttunnel/server"
 	"github.com/openyurtio/openyurt/pkg/yurttunnel/util"
-
 	"github.com/spf13/cobra"
+
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
 )
@@ -109,16 +108,8 @@ func Run(cfg *config.CompletedConfig, stopCh <-chan struct{}) error {
 		return err
 	}
 	serverCertMgr.Start()
-	go certmanager.NewCSRApprover(cfg.Client, cfg.SharedInformerFactory.Certificates().V1beta1().CertificateSigningRequests()).
-		Run(constants.YurttunnelCSRApproverThreadiness, stopCh)
-
-	// 3. generate the TLS configuration based on the latest certificate
-	tlsCfg, err := pki.GenTLSConfigUseCertMgrAndCertPool(serverCertMgr, cfg.RootCert)
-	if err != nil {
-		return err
-	}
 
-	// 4. create handler wrappers
+	// 3. create handler wrappers
 	mInitializer := initializer.NewMiddlewareInitializer(cfg.SharedInformerFactory)
 	wrappers, err := wraphandler.InitHandlerWrappers(mInitializer)
 	if err != nil {
@@ -128,7 +119,7 @@ func Run(cfg *config.CompletedConfig, stopCh <-chan struct{}) error {
 	// after all of informers are configured completed, start the shared index informer
 	cfg.SharedInformerFactory.Start(stopCh)
 
-	// 5. waiting for the certificate is generated
+	// 4. waiting for the certificate is generated
 	_ = wait.PollUntil(5*time.Second, func() (bool, error) {
 		// keep polling until the certificate is signed
 		if serverCertMgr.Current() != nil {
@@ -138,6 +129,12 @@ func Run(cfg *config.CompletedConfig, stopCh <-chan struct{}) error {
 		return false, nil
 	}, stopCh)
 
+	// 5. generate the TLS configuration based on the latest certificate
+	tlsCfg, err := pki.GenTLSConfigUseCertMgrAndCertPool(serverCertMgr, cfg.RootCert)
+	if err != nil {
+		return err
+	}
+
 	// 6. start the server
 	ts := server.NewTunnelServer(
 		cfg.EgressSelectorEnabled,

diff --git a/pkg/controller/certificates/csrapprover.go b/pkg/controller/certificates/csrapprover.go
@@ -37,23 +37,25 @@ import (
 	"k8s.io/klog"
 
 	"github.com/openyurtio/openyurt/pkg/projectinfo"
-	"github.com/openyurtio/openyurt/pkg/yurthub/certificate/server"
 )
 
 const (
-	YurtHubCSRApproverThreadiness = 2
+	// yurthub PKI related constants
+	YurthubCSROrg = "openyurt:yurthub"
+	// yurttunnel PKI related constants
+	YurttunnelCSROrg           = "openyurt:yurttunnel"
+	YurtCSRApproverThreadiness = 2
 )
 
-// YurtHubCSRApprover is the controller that auto approve all
-// yurthub related CSR
-type YurtHubCSRApprover struct {
+// YurtCSRApprover is the controller that auto approve all openyurt related CSR
+type YurtCSRApprover struct {
 	csrInformer certv1beta1.CertificateSigningRequestInformer
 	csrClient   typev1beta1.CertificateSigningRequestInterface
 	workqueue   workqueue.RateLimitingInterface
 }
 
-// Run starts the YurtHubCSRApprover
-func (yca *YurtHubCSRApprover) Run(threadiness int, stopCh <-chan struct{}) {
+// Run starts the YurtCSRApprover
+func (yca *YurtCSRApprover) Run(threadiness int, stopCh <-chan struct{}) {
 	defer runtime.HandleCrash()
 	defer yca.workqueue.ShutDown()
 	klog.Info("starting the crsapprover")
@@ -69,12 +71,12 @@ func (yca *YurtHubCSRApprover) Run(threadiness int, stopCh <-chan struct{}) {
 	klog.Info("stoping the csrapprover")
 }
 
-func (yca *YurtHubCSRApprover) runWorker() {
+func (yca *YurtCSRApprover) runWorker() {
 	for yca.processNextItem() {
 	}
 }
 
-func (yca *YurtHubCSRApprover) processNextItem() bool {
+func (yca *YurtCSRApprover) processNextItem() bool {
 	key, quit := yca.workqueue.Get()
 	if quit {
 		return false
@@ -97,7 +99,7 @@ func (yca *YurtHubCSRApprover) processNextItem() bool {
 		return true
 	}
 
-	if err := approveYurtHubCSR(csr, yca.csrClient); err != nil {
+	if err := approveCSR(csr, yca.csrClient); err != nil {
 		runtime.HandleError(err)
 		enqueueObj(yca.workqueue, csr)
 		return true
@@ -119,8 +121,8 @@ func enqueueObj(wq workqueue.RateLimitingInterface, obj interface{}) {
 		return
 	}
 
-	if !isYurtHubCSR(csr) {
-		klog.Infof("csr(%s) is not %s csr", csr.GetName(), projectinfo.GetHubName())
+	if !isYurtCSR(csr) {
+		klog.Infof("csr(%s) is not %s csr", csr.GetName(), projectinfo.GetProjectPrefix())
 		return
 	}
 
@@ -133,10 +135,10 @@ func enqueueObj(wq workqueue.RateLimitingInterface, obj interface{}) {
 	klog.V(4).Infof("approved or denied csr, ignore it: %s", key)
 }
 
-// NewCSRApprover creates a new YurtHubCSRApprover
+// NewCSRApprover creates a new YurtCSRApprover
 func NewCSRApprover(
 	clientset kubernetes.Interface,
-	csrInformer certinformer.CertificateSigningRequestInformer) *YurtHubCSRApprover {
+	csrInformer certinformer.CertificateSigningRequestInformer) *YurtCSRApprover {
 
 	wq := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
 	csrInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
@@ -147,25 +149,26 @@ func NewCSRApprover(
 			enqueueObj(wq, new)
 		},
 	})
-	return &YurtHubCSRApprover{
+	return &YurtCSRApprover{
 		csrInformer: csrInformer,
 		csrClient:   clientset.CertificatesV1beta1().CertificateSigningRequests(),
 		workqueue:   wq,
 	}
 }
 
-// approveYurtHubCSR checks the csr status, if it is neither approved nor
+// approveCSR checks the csr status, if it is neither approved nor
 // denied, it will try to approve the csr.
-func approveYurtHubCSR(
+func approveCSR(
 	obj interface{},
 	csrClient typev1beta1.CertificateSigningRequestInterface) error {
 	csr, ok := obj.(*certificates.CertificateSigningRequest)
 	if !ok {
+		klog.Infof("object is not csr: %v", obj)
 		return nil
 	}
 
-	if !isYurtHubCSR(csr) {
-		klog.Infof("csr(%s) is not %s csr", csr.GetName(), projectinfo.GetHubName())
+	if !isYurtCSR(csr) {
+		klog.Infof("csr(%s) is not %s csr", csr.GetName(), projectinfo.GetProjectPrefix())
 		return nil
 	}
 
@@ -180,26 +183,26 @@ func approveYurtHubCSR(
 		return nil
 	}
 
-	// approve the yurthub related csr
+	// approve the openyurt related csr
 	csr.Status.Conditions = append(csr.Status.Conditions,
 		certificates.CertificateSigningRequestCondition{
 			Type:    certificates.CertificateApproved,
 			Reason:  "AutoApproved",
-			Message: fmt.Sprintf("self-approving %s csr", projectinfo.GetHubName()),
+			Message: fmt.Sprintf("self-approving %s csr", projectinfo.GetProjectPrefix()),
 		})
 
 	result, err := csrClient.UpdateApproval(context.Background(), csr, metav1.UpdateOptions{})
 	if err != nil {
-		klog.Errorf("failed to approve %s csr(%s), %v", projectinfo.GetHubName(), csr.GetName(), err)
+		klog.Errorf("failed to approve %s csr(%s), %v", projectinfo.GetProjectPrefix(), csr.GetName(), err)
 		return err
 	}
-	klog.Infof("successfully approve %s csr(%s)", projectinfo.GetHubName(), result.Name)
+	klog.Infof("successfully approve %s csr(%s)", projectinfo.GetProjectPrefix(), result.Name)
 	return nil
 }
 
-// isYurtHubCSR checks if given csr is a yurthub related csr, i.e.,
+// isYurtCSR checks if given csr is a openyurt related csr, i.e.,
 // the organizations' list contains "openyurt:yurthub"
-func isYurtHubCSR(csr *certificates.CertificateSigningRequest) bool {
+func isYurtCSR(csr *certificates.CertificateSigningRequest) bool {
 	pemBytes := csr.Spec.Request
 	block, _ := pem.Decode(pemBytes)
 	if block == nil || block.Type != "CERTIFICATE REQUEST" {
@@ -209,15 +212,12 @@ func isYurtHubCSR(csr *certificates.CertificateSigningRequest) bool {
 	if err != nil {
 		return false
 	}
-	for i, org := range x509cr.Subject.Organization {
-		if org == server.YurtHubCSROrg {
-			break
-		}
-		if i == len(x509cr.Subject.Organization)-1 {
-			return false
+	for _, org := range x509cr.Subject.Organization {
+		if org == YurttunnelCSROrg || org == YurthubCSROrg {
+			return true
 		}
 	}
-	return true
+	return false
 }
 
 // checkCertApprovalCondition checks if the given csr's status is